MAN page from CentOS Other silk-common-3.19.1-3.el8.x86_64.rpm

silk

Section: SiLK Tool Suite (7)
Updated: 2021-01-04

NAME

SiLK - the System for Internet-Level Knowledge 

DESCRIPTION

SiLK is a collection of traffic analysis tools developed by the CERT Network Situational Awareness Team (CERT NetSA) to facilitate security analysis of large networks. The SiLK tool suite supports the efficient collection, storage, and analysis of network flow data, enabling network security analysts to rapidly query large historical traffic data sets. SiLK is ideally suited for analyzing traffic on the backbone or border of a large, distributed enterprise or mid-sized ISP.

A SiLK installation consists of two categories of applications: the analysis suite and the packing system.

Analysis Suite

The SiLK analysis suite is a collection of command-line tools for processing SiLK Flow records created by the SiLK packing system. These tools read binary files containing SiLK Flow records and partition, sort, and count these records. The most important analysis tool is rwfilter(1), an application for querying the central data repository for SiLK Flow records that satisfy a set of filtering options. The tools are intended to be combined in various ways to perform an analysis task. A typical analysis uses UNIX pipes and intermediate data files to share data between invocations of tools.

The tools, configuration files, and plug-in modules that make up the analysis tools are listed below, roughly grouped by functionality.

Filtering, Sorting, and Display

rwfilter(1) partitions SiLK Flow records into one or more 'pass' and/or 'fail' output streams. rwfilter is the primary tool for pulling flows from the data store.

silk.conf(5) is the configuration file naming the Classes, Types, and Sensors available at your installation.

rwsort(1) sorts SiLK Flow records using a user-specified key comprised of record attributes, and writes the records to the named output path or to the standard output. Users may define new key fields using plug-ins written in C or PySiLK.

rwcut(1) prints the attributes of SiLK Flow records in a delimited, columnar, human-readable format. Users may define new printable attributes using plug-ins written in C or PySiLK.

SiLK Python Extension

pysilk(3). PySiLK, the SiLK Python extension, allows one to read, manipulate, and write SiLK Flow records, IPsets, and Bags from within Python. PySiLK may be used in a stand-alone Python program or to write plug-ins for several SiLK applications. This document describes the objects, methods, and functions that PySiLK provides. The next entry describes using PySiLK from within a plug-in.

silkpython(3). The SiLK Python plug-in provides a way to use PySiLK to define new partitioning rules for rwfilter(1), new key fields for rwcut(1), rwgroup(1), and rwsort(1), and new key or value fields for rwstats(1) and rwuniq(1).

Counting, Grouping, and Mating

rwuniq(1) bins (groups) SiLK Flow records by a user-specified key comprised of record attributes and prints the total byte, packet, and/or flow counts for each bin. rwuniq may also print distinct source IP and destination IP counts. Users may define new key fields and value fields using plug-ins written in C or PySiLK.

rwcount(1) summarizes SiLK Flow records across time, producing textual output with counts of bytes, packets, and flow records for each time bin.

rwstats(1) summarizes SiLK Flow records by a user-specified key comprised of record attributes, computes values from the flow records that match each key, sorts the results by the value to generate a Top-N or Bottom-N list, and prints the results. Users may define new key fields and value fields using plug-ins written in C or PySiLK.

rwtotal(1) summarizes SiLK Flow records by a specified key and prints the sum of the byte, packet, and flow counts for flows matching the key.

rwaddrcount(1) summarizes SiLK flow records by the source or destination IP and prints the byte, packet, and flow counts for each IP.

rwgroup(1) groups SiLK flow records by a user-specified key comprised of record attributes, labels the records with a group ID that is stored in the next-hop IP field, and writes the resulting flows to the specified output path or to the standard output. rwgroup requires that its input is sorted.

rwmatch(1) matches (mates) records as queries and responses and marks mated records with an ID that is stored in the next-hop IP field. rwmatch requires that its input is sorted.

IPsets, Bags, Aggregate Bags, and Prefix Maps

An IPset is a data structure and a binary file format that contains a list of IP addresses where each IP appears once (a mathematical set).

A Bag is a data structure and a binary file format where a key is mapped to a counter (similar to a hash table or Python dictionary). The key is either a 32-bit number or an IPv6 address, and the counter is a 64-bit number. Usually the key represents an aspect of a flow record (an IP address, a port number, the protocol) and the counter is a volume (the number of flow records, the sum of the packet counts) for the flow records that match that key.

An Aggregate Bag is similar to a Bag except the key and/or the counter may be comprised of multiple fields. Aggregate Bags were introduced in SiLK 3.15.0.

A prefix map is a data structure and file format that maps every IP address to a string. An example prefix map gives the two-letter country code for any IP address.

rwset(1) reads SiLK Flow records and generates binary IPset file(s) containing the source IP addresses or destination IP addresses seen on the flow records.

rwsetbuild(1) reads (textual) IP addresses in dotted-quad or CIDR notation from an input file or from the standard input and writes a binary IPset file.

rwsetcat(1) prints the contents of a binary IPset file as text. Additional information about the IPset file may be printed.

rwsettool(1) performs union, intersection, difference, and sampling functions on the input IPset files, generating a new IPset file.

rwsetmember(1) determines whether the IP address specified on the command line is contained in an IPset.

rwbag(1) reads SiLK Flow records and builds binary Bag(s) containing key-count pairs. An example is a Bag containing the sum of the byte counts for each source port seen on the flow records.

rwbagbuild(1) creates a binary Bag file from a binary IPset file or from a textual input file.

rwbagcat(1) prints binary Bag files as text.

rwbagtool(1) performs operations (e.g., addition, subtraction) on binary Bag files and produces a new Bag file.

rwaggbag(1) reads SiLK Flow records and builds a binary Aggregate Bag containing key-count pairs. An example is an Aggregate Bag containing the sum of the byte counts for each source port seen on the flow records. Since SiLK 3.15.0.

rwaggbagbuild(1) creates a binary Aggregate Bag file from a textual input file. Since SiLK 3.15.0.

rwaggbagcat(1) prints binary Aggregate Bag files as text. Since SiLK 3.15.0.

rwaggbagtool(1) performs operations (e.g., addition, subtraction) on binary Aggregate Bag files and produces a new Aggregate Bag file. Since SiLK 3.15.0.

rwpmapbuild(1) reads textual input and creates a binary prefix map file for use with the Address Type (addrtype(3)) and Prefix Map (pmapfilter(3)) utilities.

rwpmapcat(1) prints information about a prefix map file as text. By default, prints each IP range in the prefix map and its label.

rwpmaplookup(1) finds information about specific IP address(es) or protocol/port pair(s) in a binary prefix map file and prints the result as text.

rwipaimport(1) imports a SiLK IPset, Bag, or Prefix Map file into the IP Address Association (IPA <http://tools.netsa.cert.org/ipa/>) library.

rwipaexport(1) exports a set of IP addresses from the IP Address Association (IPA) library to a SiLK IPset, Bag, or Prefix Map.

IP and Port Labeling Files

addrtype(3). The Address Type file provides a way to map an IPv4 address to an integer denoting the IP as internal, external, or non-routable.

ccfilter(3). The Country Code file provides a mapping from an IP address to the two-letter, lowercase abbreviation of the country where that IP address is located. The abbreviations used by the Country Code utility are those defined by ISO 3166-1 (see for example <https://www.iso.org/iso-3166-country-codes.html> or <https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2>).

pmapfilter(3). Prefix map files provide a way to map field values to string labels based on a user-defined map file. The map file is created by rwpmapbuild(1).

Run Time Plug-Ins

To use most of these plug-ins, the plug-in must be explicitly loaded into an application by using the application's --plugin switch and giving the plug-in's library name or path as the argument. For a plug-in named NAME, the library is typically named NAME.so.

app-mismatch(3). The application-mismatch plug-in helps to find services running on unusual or non-typical ports by causing rwfilter(1) to only pass a flow record when the record's application field is non-zero and its value is different than that in the source port and destination port fields.

conficker-c(3). The conficker-c plug-in was written in March 2009 to detect traffic that matches the signature of the .C variant of the Conficker worm.

cutmatch(3). The cutmatch plug-in creates a field in rwcut(1) that provides a more user-friendly representation of the match parameter value that rwmatch(1) writes into a SiLK Flow record's next hop IP field.

flowkey(3). The flowkey plug-in adds a switch and a field that computes a 32-bit hash for a flow record using the same algorithm as YAF uses for its flow key utility getFlowKeyHash(1). Since SiLK 3.15.0.

flowrate(3). The flowrate plug-in adds switches and fields to compute packets/second, bytes/second, bytes/packet, payload-bytes, and payload-bytes/second.

int-ext-fields(3). The internal/external plug-in makes available fields containing internal and external IPs and ports (int-ip, ext-ip, int-port, and ext-port). It can be used to print, sort by, or group by the internal or external IP or port, which is useful when a single flow file contains flows in multiple directions. Since SiLK 3.0.0.

ipafilter(3). The IPA (IP Association) plug-in works with rwfilter to partition flows based on data in an IPA data store. rwfilter will automatically load this plug-in if it is available. The plug-in requires that SiLK be compiled with IPA support (<http://tools.netsa.cert.org/ipa/>).

silk-plugin(3) describes how to create and compile a new SiLK plug-in using C.

Packet and IPFIX Processing

These tools operate on packet capture (pcap(3)) files, IPFIX files, or files of NetFlow v5 data.

rwp2yaf2silk(1) converts a packet capture (pcap(3)) file, such as a file produced by tcpdump(1), to a single file of SiLK Flow records. rwp2yaf2silk assumes that the yaf(1) (<http://tools.netsa.cert.org/yaf/>) and rwipfix2silk(1) commands are available on your system as it is a simple Perl wrapper around those commands.

rwipfix2silk(1) converts a stream of IPFIX (Internet Protocol Flow Information eXport) records to the SiLK Flow record format.

rwsilk2ipfix(1) converts a stream of SiLK Flow records to an IPFIX (Internet Protocol Flow Information eXport) format.

rwpcut(1) reads a packet capture file and prints its contents in a textual form similar to that produced by rwcut.

rwpdedupe(1) detects and eliminates duplicate records from multiple packet capture input files. See also rwdedupe(1).

rwpmatch(1) filters a packet capture file by writing only packets whose five-tuple and timestamp match corresponding records in a SiLK Flow file.

rwptoflow(1) reads a packet capture file and generates a SiLK Flow record for every packet.

rwpdu2silk(1) creates a stream of SiLK Flow records from a file containing NetFlow v5 PDU records.

Scan Detection

rwscan(1) attempts to detect scanning activity from SiLK Flow records. rwscan can produce files that may be loaded into a database and queried with rwscanquery.

rwscanquery(1) queries the scan database which has been populated from database load files generated by rwscan.

Flow File Utilities

These utility applications operate on SiLK Flow files.

rwcat(1) reads SiLK Flow records from the files named on the command line, or from the standard input when no files are provided, and writes the SiLK records to the specified output file or to the standard output if it is not connected to a terminal.

rwappend(1) appends the SiLK Flow records contained in the second through final file name arguments to the records contained in the first file name argument.

rwcombine(1) reads SiLK Flow records from files named on the command line or from the standard input. For records where the attributes field contains the flow timed-out flag, rwcombine attempts to find the record with the corresponding continuation flag set and combine those records into a single flow. rwcombine writes the results to the named output file or to the standard output. Since SiLK 3.9.0.

rwcompare(1) determines whether two SiLK Flow files contain the same flow records.

rwdedupe(1) reads SiLK Flow records from files named on the command line or from the standard input and writes the records to the named output path or to the standard output, removing any duplicate flow records. Note that rwdedupe will reorder the records as part of its processing.

rwnetmask(1) reads SiLK Flow records, zeroes the least significant bits of the source-, destination-, and/or next-hop-IP address(es), and writes the resulting records to the named output path or to the standard output.

rwrandomizeip(1) generates a new SiLK Flow file by substituting a pseudo-random IP address for the source and destination IP addresses in a given input file.

rwrecgenerator(1) generates SiLK Flow records using a pseudo-random number generator; these records may be used to test SiLK applications. Since SiLK 3.6.0.

rwsplit(1) reads SiLK Flow records and generates a set of sub-files from the input. The sub-files may be limited by flow-, byte-, or packet-counts, or by unique IP count. In addition, the sub-file may contain all the flows or only a sample of them.

rwswapbytes(1) generates a new SiLK Flow file by changing the byte order of the records in a given input SiLK Flow file.

Utilities

rwfileinfo(1) prints information (type, version, etc.) about a SiLK Flow, IPset, Bag, or Prefix Map file.

rwsiteinfo(1) prints information about the sensors, classes, and types specified in the silk.conf(5) file.

rwtuc(1) generates SiLK flow records from textual input; the input should be in a form similar to what rwcut(1) generates.

rwfglob(1) prints to the standard output the list of files that rwfilter would normally process for a given set of file selection switches.

num2dot(1) reads delimited text from the standard input, converts integer values in the specified column(s) (default first column) to dotted-decimal IP address, and prints the result to the standard output.

rwgeoip2ccmap(1) reads the MaxMind GeoIP database and creates the country code mapping file that may be used by SiLK (see ccfilter(3)).

rwidsquery(1) invokes rwfilter to find flow records matching Snort signatures.

rwresolve(1) reads delimited text from the standard input, attempts to resolve the IP addresses in the specified column(s) to host names, and prints the result to the standard output.

silk_config(1) prints information about how SiLK was compiled; this information may be used to compile and link other files and programs against the SiLK header files and libraries.

Deprecated Tools

These tools are deprecated. Their functionality is available in other applications.

mapsid(1) maps between sensor names and sensor IDs using the values specified in the silk.conf(5) file. mapsid is deprecated as of SiLK 3.0.0, and it will be removed in the SiLK 4.0 release. This functionality is available in rwsiteinfo(1).

rwguess(8) reads a file containing NetFlow v5 PDU records and prints the SNMP interfaces that are used most often and the number of records seen for each interface. rwguess is deprecated as of SiLK 3.8.3, and it will be removed in the SiLK 4.0 release. Similar functionality is available using a combination of rwpdu2silk(1), rwstats(1), and rwuniq(1).

rwip2cc(1) maps a (textual) list of IP addresses to their country code. rwip2cc is deprecated as of SiLK 3.0.0, and it will be removed in the SiLK 4.0 release. This functionality is available in rwpmaplookup(1).

Packing System

The SiLK Packing System is comprised of daemon applications that collect flow records (IPFIX flows from yaf(1) or NetFlow v5 or v9 PDUs from a router), convert the records to the SiLK flow format, categorize the flows as incoming or outgoing, and write the records to their final destination in binary flat files for use by the analysis suite. Files are organized in a time-based directory hierarchy with files covering each hour at the leaves.

The tools, configuration files, and plug-ins that comprise the SiLK Packing System are:

flowcap(8) listens to flow generators (devices which produce network flow data) and stores the data in temporary files prior to transferring the files to a remote machine for processing by rwflowpack.

rwflowpack(8) reads flow data either directly from a flow generator or from files generated by flowcap, converts the data to the SiLK flow record format, categorizes the flow records according to rules loaded from a packing-logic plug-in, and writes the records either to hourly flat-files organized in a time-based directory structure or to files for transfer to a remote machine for processing by rwflowappend.

rwflowappend(8) watches a directory for files containing small numbers of SiLK flow records and appends those records to hourly files organized in a time-based directory tree.

rwsender(8) watches an incoming directory for files, moves the files into a processing directory, and transfers the files to one or more rwreceiver processes. Either rwsender or rwreceiver may act as the server (i.e., listen for incoming network connections) with the other acting as the client.

rwreceiver(8) accepts files transferred from one or more rwsender processes and stores them in a destination directory. Either rwsender or rwreceiver may act as the server with the other acting as the client.

rwpollexec(8) monitors a directory for incoming files and runs a user-specified command on each file.

rwpackchecker(8) reads SiLK Flow records and checks for unusual patterns that may indicate data file corruption.

sensor.conf(5) is a configuration file for sensors and probes used by rwflowpack and flowcap.

packlogic-twoway(3) is one of the plug-ins available that describe a set of rules (the packing-logic) that rwflowpack may use when categorizing flow records as incoming or outgoing.

packlogic-generic(3) is one of the plug-ins available that describe a set of rules (the packing-logic) that rwflowpack may use when categorizing flow records as incoming or outgoing.

ENVIRONMENT

The following environment variables affect the tools in the SiLK tool suite. The variables are listed alphabetically. (Additional environment variables that are specific to a tool are documented on the tool's manual page.)
PAGER
The applications that support paging their output use the value in this environment variable when the SILK_PAGER environment variable is not set and the application's --pager switch is not used.
PYTHONPATH
The Python modules and library files required to use PySiLK from rwfilter(1), rwcut(1), rwsort(1), and rwuniq(1) as well as from Python itself are installed under SiLK's installation tree by default. It may be necessary to set or modify the PYTHONPATH environment variable so Python can find these files. For information on using the PySiLK module, see silkpython(3) as well as the SiLK in Python handbook.
PYTHONVERBOSE
If the SiLK Python extension or plug-in fails to load, setting this environment variable to a non-empty string may help you debug the issue.
RWRECEIVER_TLS_PASSWORD
Used by rwreceiver(8), this variable specifies the password to use to decrypt the PKCS#12 file specified in the --tls-pkcs12 switch.
RWSENDER_TLS_PASSWORD
Used by rwsender(8), this variable specifies the password to use to decrypt the PKCS#12 file specified in the --tls-pkcs12 switch.
SILK_ADDRESS_TYPES
This environment variable allows the user to specify the address types mapping file used by the fields and switches specified in the addrtype(3) manual page. The value may be a complete path or a file relative to SILK_PATH. See the "FILES" section for standard locations of this file.
SILK_CLOBBER
The SiLK tools normally refuse to overwrite existing files. Setting SILK_CLOBBER to a non-empty value (other than 0) removes this restriction.
SILK_COMPRESSION_METHOD
For most tools that implement the --compression-method switch, this environment variable is used as the value for that switch when it is not provided. Since SiLK 3.13.0.
SILK_CONFIG_FILE
This environment variable contains the location of the site configuration file, silk.conf(5). This variable has precedence over all methods of finding the site file except for the --site-config-file switch on an application. For additional locations where the site configuration file may reside, see the "FILES" section.
SILK_COUNTRY_CODES
This environment variable allows the user to specify the country code mapping file used by the fields and switches specified in the ccfilter(3) manual page. The value may be a complete path or a file relative to SILK_PATH. See the "FILES" section for standard locations of this file.
SILK_DATA_ROOTDIR
This variable gives the root of the directory tree where the data store of SiLK Flow files is maintained, overriding the location that is compiled into the tools (/data). The rwfilter(1) and rwfglob(1) tools use this value when selecting which flow files to process unless the user passes the --data-rootdir switch to the application. In addition, the SiLK tools search for the site configuration file, silk.conf, in this directory.
SILK_ICMP_SPORT_HANDLER
Modifies how "buggy" ICMP SiLK flow records are handled. ICMP type and code are normally encoded in the destination port field. Prior to SiLK 3.4.0, a bug existed when processing IPFIX bi-flow ICMP records where the type and code of the second records were stored in the source port. SiLK 3.4.0 attempts to work around this bad encoding by modifying the buggy ICMP SiLK Flow records as they are initially read. However, the change in SiLK 3.4.0 removes a previous work-around designed to fix issues with SiLK Flow records collected prior to SiLK 0.8.0 that originated as NetFlow v5 PDUs from some types of Cisco routers. The ICMP records from these Cisco routers encoded the type and code in the source port, but the bytes were swapped from the normal encoding. When the SILK_ICMP_SPORT_HANDLER environment variable is set to "none", all work-arounds for buggy ICMP records are disabled and the source and destination ports remain unchanged.
SILK_IPSET_RECORD_VERSION
For the IPset family of tools, this environment variable is used as the default value for the --record-version switch when the switch is not provided on the command line. The variable is also used by rwbagtool(1) and rwaggbagtool(1) when writing an IPset file. Since SiLK 3.7.0.
SILK_IPV6_POLICY
For tools that implement the --ipv6-policy switch, this environment variable is used as the value for that switch when it is not provided.
SILK_IP_FORMAT
For tools that implement the --ip-format switch, this environment variable is used as the value for that switch when it is not provided. Since SiLK 3.11.0.
SILK_LOGSTATS
This environment variable is currently an alias for the SILK_LOGSTATS_RWFILTER environment variable described below. The ability to log invocations may be extended to other SiLK tools in future releases.
SILK_LOGSTATS_DEBUG
If the environment variable is set to a non-empty value, rwfilter(1) prints messages to the standard error about the SILK_LOGSTATS value being used and either the reason why the value cannot be used or the arguments to the external program being executed.
SILK_LOGSTATS_RWFILTER
When set to a non-empty value, rwfilter(1) treats the value as the path to a program to execute with information about this rwfilter invocation. Its purpose is to provide the SiLK administrator with information on how the SiLK tool set is being used.
SILK_PAGER
When this variable is set to a non-empty string, most of the applications that produce textual output (e.g., rwcut(1)) automatically invoke this program to display their output a screen at a time. If set to an empty string, no paging of the output is performed. The PAGER variable is checked when this variable is not set. The --pager switch on an application overrides this value.
SILK_PATH
This environment variable gives the root of the directory tree where the tools are installed. As part of its search for configuration files and plug-ins, a SiLK application may use this variable. See the "FILES" section for details.
SILK_PLUGIN_DEBUG
When this variable is set to a non-empty value, an application that supports plug-ins prints status messages to the standard error as it tries to locate and open each of its plug-ins.
SILK_PYTHON_TRACEBACK
If a Python plug-in encounters a Python-related error and this environment variable is set to a non-empty value, the application prints the error's traceback information to the standard error.
SILK_RWFILTER_THREADS
This variable sets the number of threads rwfilter(1) uses while reading input files or files selected from the data store.
SILK_TEMPFILE_DEBUG
When set to 1, the library that manages temporary files for rwcombine(1), rwdedupe(1), rwsort(1), rwstats(1), and rwuniq(1) prints debugging messages to the standard error as it creates, re-opens, and removes temporary files.
SILK_TIMESTAMP_FORMAT
For tools that implement the --timestamp-format switch, this environment variable is used as the value for that switch when it is not provided. Since SiLK 3.11.0.
SILK_TMPDIR
This variable is used by tools that write temporary files (e.g., rwsort(1)) as the directory in which to store those files. When this variable is not set, the value of the TMPDIR variable is checked. The --temp-directory switch on an application overrides this value.
SILK_UNIQUE_DEBUG
When set to 1, the binning engine used by rwstats(1) and rwuniq(1) prints debugging messages to the standard error.
TMPDIR
When this variable is set and SILK_TMPDIR is not set, temporary files are created in this directory. The value given to an application's --temp-directory switch takes precedence over both variables.
TZ
When a SiLK installation is built to use the local timezone (to determine if this is the case, check the "Timezone support" value in the output from the --version switch on most SiLK applications), the value of the TZ environment variable determines the timezone in which timestamps are displayed and parsed. If the TZ environment variable is not set, the default timezone is used. Setting TZ to 0 or to the empty string causes timestamps to be displayed in and parsed as UTC. The value of the TZ environment variable is ignored when the SiLK installation uses UTC unless the user requests use of the local timezone via a tool's --timestamp-format switch. For system information on the TZ variable, see tzset(3) or environ(7).
 

FILES

The following file and directory locations are used by SiLK tools. A dollar sign preceding a name enclosed in braces (e.g., "${SILK_PATH}") refers to the value of the named environment variable.
${SILK_ADDRESS_TYPES}
${SILK_PATH}/share/silk/address_types.pmap
${SILK_PATH}/share/address_types.pmap
/usr/share/silk/address_types.pmap
/usr/share/address_types.pmap
Locations that applications check when searching for the address types mapping file used by addrtype(3), rwpmapcat(1), and rwpmaplookup(1).
${SILK_CONFIG_FILE}
ROOT_DIRECTORY/silk.conf
${SILK_PATH}/share/silk/silk.conf
${SILK_PATH}/share/silk.conf
/usr/share/silk/silk.conf
/usr/share/silk.conf
Possible locations for the SiLK site configuration file which are checked when the --site-config-file switch is not provided. The value of ROOT_DIRECTORY/ is the root directory of the SiLK repository; that directory may be specified by a command line switch (e.g., the --data-rootdir switch on rwfilter(1)), by the SILK_DATA_ROOTDIR environment variable, or by the default location compiled into the SiLK tools (/data).
${SILK_COUNTRY_CODES}
${SILK_PATH}/share/silk/country_codes.pmap
${SILK_PATH}/share/country_codes.pmap
/usr/share/silk/country_codes.pmap
/usr/share/country_codes.pmap
Locations that applications check when searching for the country code mapping file used by ccfilter(3), rwbag(1), rwpmapcat(1), rwpmaplookup(1), and other SiLK tools.
${SILK_DATA_ROOTDIR}/
/data/
Locations for the root directory of the data repository. Some applications provide a command line switch to specify this value (for example, the --data-rootdir switch on rwfilter(1), rwfglob(1), and rwsiteinfo(1)).
${SILK_PATH}/lib64/silk/
${SILK_PATH}/lib64/
${SILK_PATH}/lib/silk/
${SILK_PATH}/lib/
/usr/lib64/silk/
/usr/lib64/
/usr/lib/silk/
/usr/lib/
Directories that a SiLK application checks when attempting to load a plug-in.
${SILK_TMPDIR}/
${TMPDIR}/
/tmp/
Directory in which to create temporary files when a directory was not specified using the application's --temp-directory switch.
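
The location lists above can be audited on a host with a few shell functions. This is an added example, not part of SiLK or of the original manual page; the function names (silk_data_rootdir, silk_candidates, silk_report, silk_tmpdir) are hypothetical, and treating the printed order as the search order is an assumption. It only lists the documented locations and does not reproduce the tools' own selection logic.

```shell
#!/bin/sh
# Added example, not part of SiLK. Lists the locations the FILES section gives
# for a site file, in the order printed there (treating that order as the
# search order is an assumption), and marks which ones exist on this host.

# silk_data_rootdir [SWITCH]: --data-rootdir value, else SILK_DATA_ROOTDIR,
# else /data (the compiled-in default this page reports).
silk_data_rootdir() {
    if [ -n "${1:-}" ]; then sdr_root=$1
    elif [ -n "${SILK_DATA_ROOTDIR:-}" ]; then sdr_root=$SILK_DATA_ROOTDIR
    else sdr_root=/data
    fi
    printf '%s\n' "${sdr_root%/}"      # drop one trailing slash
}

# silk_candidates KIND [DATA_ROOTDIR_SWITCH]
# KIND is conf, address_types or country_codes.
silk_candidates() {
    case ${1:-} in
        conf)          sc_env=${SILK_CONFIG_FILE:-};   sc_name=silk.conf ;;
        address_types) sc_env=${SILK_ADDRESS_TYPES:-}; sc_name=address_types.pmap ;;
        country_codes) sc_env=${SILK_COUNTRY_CODES:-}; sc_name=country_codes.pmap ;;
        *) echo "usage: silk_candidates conf|address_types|country_codes" >&2
           return 2 ;;
    esac
    # The environment variable comes first. For the two .pmap files the page
    # allows a value relative to SILK_PATH; it is printed as given, unexpanded.
    if [ -n "$sc_env" ]; then printf '%s\n' "$sc_env"; fi
    # Only silk.conf is also looked for in the data repository root.
    if [ "$1" = conf ]; then
        printf '%s/%s\n' "$(silk_data_rootdir "${2:-}")" "$sc_name"
    fi
    # ${SILK_PATH} entries are skipped when the variable is unset (assumption).
    if [ -n "${SILK_PATH:-}" ]; then
        printf '%s\n' "$SILK_PATH/share/silk/$sc_name" "$SILK_PATH/share/$sc_name"
    fi
    printf '%s\n' "/usr/share/silk/$sc_name" "/usr/share/$sc_name"
}

# silk_report KIND [DATA_ROOTDIR_SWITCH]: one line per candidate with its state.
silk_report() {
    silk_candidates "$@" | while IFS= read -r sr_path; do
        if [ -e "$sr_path" ]; then printf 'present  %s\n' "$sr_path"
        else printf 'absent   %s\n' "$sr_path"
        fi
    done
}

# silk_tmpdir [SWITCH]: --temp-directory value, else SILK_TMPDIR, else TMPDIR,
# else /tmp, following the precedence the ENVIRONMENT section states.
silk_tmpdir() {
    if [ -n "${1:-}" ]; then printf '%s\n' "$1"
    elif [ -n "${SILK_TMPDIR:-}" ]; then printf '%s\n' "$SILK_TMPDIR"
    elif [ -n "${TMPDIR:-}" ]; then printf '%s\n' "$TMPDIR"
    else printf '%s\n' /tmp
    fi
}
```

Source the file and run, for instance, `silk_report conf` as the account that runs the analysis tools, so the report reflects that account's environment.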
 

SEE ALSO

Analysts' Handbook: Using SiLK for Network Traffic Analysis, The SiLK Reference Guide, SiLK Installation Handbook, <http://tools.netsa.cert.org/silk/>


 
